VPN Troubleshooting
VPN Problems
Links & Info
IKEv2
Internet Key Exchange Protocol Version 2 (IKEv2)
https://tools.ietf.org/html/rfc5996
Check Point problems with IKEv2
How do I change the local id for an IKEv2 IPsec VPN?
https://community.checkpoint.com/t5/Remote-Access-VPN/How-do-I-change-the-local-id-for-an-IKEv2-IPsec-VPN/m-p/14786
IKEv2 negotiation for Site-to-Site VPN tunnel with 3rd party peer fails if IKEv2 SA payload contains more than 8 proposals
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112139
When Check Point peer is initiator of IKEv2 negotiation, FQDN not being sent
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108817
Debugging IKEv2 on Check Point
- Use IKE debug to validate and understand how both devices negotiate the parameters.
Disable acceleration if you can (re-enable it with fwaccel on when you are done):
fwaccel off
vpn debug ikeon
vpn debug trunc
Get the file ikev2.xml (in $FWDIR/log) and check the proposals sent by both sides.
Read the file vpnd.elg (same directory) and look for inconsistencies between what was configured and what was negotiated.
- IKE is the same for all vendors; the problem is almost always configuration. Very often the devices send parameters that differ from what you expect them to send.
- Check Point firewalls try to summarize the networks inside the encryption domain; this is called supernetting.
It summarizes as far as possible and sends the summary in place of the original networks.
If you have two adjacent /24 subnets, it will try to send a single /23. If the peer's encryption domain still lists the two /24s, the traffic selectors the two sides propose will not match.
- Route-based VPN is more flexible than domain-based VPN, and both can be configured on the same gateway. Use route-based if you can.
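The supernetting behaviour described above, as an added example (not from the original page or from Check Point): it aggregates a constructed local encryption domain the way the page describes, compares the result with what the peer has configured, and checks whether an IKEv2 peer that narrows traffic selectors (RFC 7296, section 2.9) could still accept it. The aggregation uses exact prefix collapsing, which is an approximation of Check Point's undocumented algorithm; the sample networks are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: the encryption domain configured on the Check Point side,
# and the remote peer's configured view of the same networks (two /24s, not a /23).
LOCAL_ENCRYPTION_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "192.168.5.0/24"]
PEER_CONFIGURED_REMOTE = ["10.1.0.0/24", "10.1.1.0/24", "192.168.5.0/24"]


def supernet(subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Aggregate adjacent, aligned prefixes into the largest exact supernets.

    Models the page's example (two /24s become a /23) with exact aggregation:
    no address outside the input is added, and non-aligned neighbours such as
    10.1.1.0/24 + 10.1.2.0/24 stay separate. This is an approximation of
    Check Point's behaviour, which the page does not document in detail.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def compare_domains(local: Iterable[str], peer: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (selectors we send that the peer lacks, peer entries we never send).

    An empty pair means both sides will propose identical traffic selectors.
    """
    sent = {str(n) for n in supernet(local)}
    expected = {str(ipaddress.ip_network(s, strict=True)) for s in peer}
    return sorted(sent - expected), sorted(expected - sent)


def peer_can_narrow(local: Iterable[str], peer: Iterable[str]) -> bool:
    """True if every peer subnet lies inside some selector we send.

    IKEv2 lets the responder narrow the initiator's traffic selectors, so a
    peer that narrows can still bring the SA up; a peer that insists on an
    exact match rejects 10.1.0.0/23 when it expects two /24s.
    """
    sent = supernet(local)
    return all(
        any(ipaddress.ip_network(p, strict=True).subnet_of(s) for s in sent)
        for p in peer
    )


if __name__ == "__main__":
    print("Check Point would send:", [str(n) for n in supernet(LOCAL_ENCRYPTION_DOMAIN)])
    extra, missing = compare_domains(LOCAL_ENCRYPTION_DOMAIN, PEER_CONFIGURED_REMOTE)
    print("Sent but not on peer:", extra)
    print("On peer but never sent:", missing)
    print("Peer could accept by narrowing:", peer_can_narrow(LOCAL_ENCRYPTION_DOMAIN, PEER_CONFIGURED_REMOTE))
```

Running it shows 10.1.0.0/23 being sent while the peer expects 10.1.0.0/24 and 10.1.1.0/24; configuring the peer's remote network as the /23, or disabling supernetting on the Check Point side, makes compare_domains return two empty lists.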
- I don't know whether there is a newer version of ikeview.exe that can read the IKEv2 debug output (ikev2.xml).
Check the Support Center and, if one is available, use it; it is the best tool for troubleshooting VPN problems on the Check Point side.
- Disable debugging when you are done:
vpn debug off